
Measurement and Analysis of Spyware in a University Environment

Stefan Saroiu, Steven D. Gribble, and Henry M. Levy
Department of Computer Science & Engineering
University of Washington
{tzoompy,gribble,[email protected]}

Abstract

Over the past few years, a relatively new computing phenomenon has gained momentum: the spread of “spyware.” Though most people are aware of spyware, the research community has spent little effort to understand its nature, how widespread it is, and the risks it presents. This paper is a first attempt to do so.

We first discuss background material on spyware, including the various types of spyware programs, their methods of transmission, and their run-time behavior. By examining four widespread programs (Gator, Cydoor, SaveNow, and eZula), we present a detailed analysis of their behavior, from which we derive signatures that can be used to detect their presence on remote computers through passive network monitoring. Using these signatures, we quantify the spread of these programs among hosts within the University of Washington by analyzing a week-long trace of network activity. This trace was gathered from August 26th to September 1st, 2003.

From this trace, we show that: (1) these four programs affect approximately 5.1% of active hosts on campus, (2) many computers that contain spyware have more than one spyware program running on them concurrently, and (3) 69% of organizations within the university contain at least one host running spyware. We conclude by discussing security implications of spyware and specific vulnerabilities we found within versions of two of these spyware programs.

1 Introduction

Over the past few years, a relatively new computing phenomenon has gained momentum: the spread of spyware. Although there is no precise definition, the term “spyware” is commonly used to refer to software that, from a user’s perspective, gathers information about a computer’s use and relays that information back to a third party. This data collection occurs sometimes with, but often without, the knowing consent of the user. In this paper, we use the term spyware in conformity with this common usage.1 Spyware may also appropriate resources of the computer that it infects [15] or alter the functions of existing applications on the affected computer to the benefit of a third party [12].

Spyware poses several risks. The most conspicuous is compromising a user’s privacy by transmitting information about that user’s behavior. However, spyware can also detract from the usability and stability of a user’s computing environment, and it has the potential to introduce new security vulnerabilities to the infected host. Because spyware is widespread, such vulnerabilities would put millions of computers at risk. In Section 5, we demonstrate vulnerabilities within versions of two widely deployed spyware programs, and we discuss the potential impact of such flaws.

Though most people are aware of spyware, the research community has to date spent little effort understanding the nature and extent of the spyware problem. This paper is an initial attempt to do so. First, we give an overview of spyware in general, in which we discuss the various kinds of spyware programs, their behavior, how they typically infect computers, and the proliferation of new varieties of spyware programs. Next, we examine four particularly widespread spyware programs (Gator, Cydoor, SaveNow, and eZula), and we present a detailed description of their behavior. Our examination was limited to software versions released between August 2003 and January 2004; as such, our observations and results might not hold for other versions. Based on our examination, we derive network signatures that can be used to detect the presence of these programs on remote computers by monitoring network traffic. With these signatures, we gather a week-long trace of network traffic exchanged between the University of Washington (a large public university) and the Internet, from August 26th to September 1st, 2003. We perform a quantitative study of spyware based on this trace, characterizing the spread of the four spyware programs within the university.

Though hundreds of spyware programs exist, our findings show that these four programs alone affect approximately 5.1% of active university hosts, and that these hosts often have more than one spyware program running. Additionally, we find that a majority of organizations within the university contain at least one spyware-infected host, suggesting that existing organization-specific security policies and mechanisms (such as perimeter firewalls) are not effective at preventing spyware installation. Even though our measurements are gathered at only one site, and hence may not be representative of the Internet at large, we believe our results confirm that spyware is a significant problem.

The rest of this paper is organized as follows. In Section 2 we set the context of our study with a brief discussion on the general characteristics of spyware. In Section 3 we narrow our focus to four prevalent spyware programs, giving a detailed description of their behavior. Section 4 presents quantitative results based on our week-long network trace. We discuss implications of our results in Section 5, we present related work in Section 6, and we conclude in Section 7.

1 Deciding whether a particular program should be called spyware or not can be both difficult and delicate. In practice, there is a continuous spectrum of program behavior that spans from malicious and invasive to fully legitimate. In this paper, we use the term spyware very broadly, and in general apply the term as might be commensurate with the experience of an unsophisticated user. However, we are careful to describe the precise behavior of individual programs discussed in this paper.

2 A Brief Spyware Primer

Spyware exists because information has value. For example, information gathered about the demographics and behavior of Internet users has value to advertisers, the ability to show advertisements correlated with user behavior has value to product vendors, and gathering keystrokes or introducing backdoor vulnerabilities on a host has value to attackers. As long as this value exists, there will be incentive to create spyware programs to capitalize on it.

People are typically exposed to spyware as a result of their behavior. Users may install popular software packages that contain embedded spyware, Web sites may prompt users to install Web browser extensions that contain spyware, and Web browsers retain ‘cookies’ to track user behavior across collections of cooperating Web sites. The constant growth in the number of Internet users and the increasing amount of time users spend on the Internet have served to amplify users’ exposure to spyware.

Spyware succeeds because today’s desktop operating systems make spyware simple to build and install. Operating systems and applications are designed to be extensible, and as a result, there are numerous interfaces for interposing on events and interacting with other programs. Operating systems also tend to hide information about background activities to shield users from unwanted complexity. The combination of these two properties makes it difficult to prevent spyware programs from gathering the information they want, or for the user to detect when such information is being harvested or transmitted. As is often the case, there is a tension between usability and security, and to date market pressures appear to favor usability.

2.1 Classes of Spyware

There are many different kinds of spyware. Borrowing from the terminology used in SpyBot S&D [17], a free spyware removal tool, we define the following classes:

• Cookies and Web bugs: Cookies are small pieces of state stored on individual clients’ Web browsers on behalf of Web servers. Cookies can only be retrieved by the Web site that initially stored them. However, because many sites use the same advertisement provider, these providers can potentially track the behavior of users across many Web sites. Web bugs – invisible images embedded on pages – are related to cookies in that advertisement networks often contract with Web sites to place such bugs on their pages. Cookies and Web bugs are purely passive forms of spyware; they contain no code of their own, relying instead on existing Web browser functions.

• Browser hijackers: Hijackers attempt to change a user’s Web browser settings to modify their start page, search functionality, or other browser settings. Hijackers, which predominantly affect Windows operating systems, may use one of several mechanisms to achieve their goal: installing a browser extension (called a “browser helper object,” or BHO), modifying Windows registry entries, or directly modifying or replacing browser preference files.

• Keyloggers: Keyloggers were originally designed to record all keystrokes of users in order to find passwords, credit card numbers, and other sensitive information. Keyloggers have expanded in scope, capturing logs of Websites visited, instant messaging sessions, windows opened, and programs executed.

• Tracks: A “track” is a generic name for information recorded by an operating system or application about actions the user has performed. Examples of tracks include recently visited Website lists maintained by most browsers and lists of recently opened files and programs maintained by most operating systems. Although a track is typically innocuous on its own, tracks can be mined by malicious programs.

• Malware: Malware refers to a variety of malicious software, including viruses, worms, trojan horses, and automatic phone dialers (which attempt to dial modems to connect to expensive services).

• Spybots: Spybots are the prototypical example of

Table 1.

spyware category   cookies and web bugs   browser hijackers   keyloggers   tracks   malware   spybots
# of DB entries    34                     153                 62           231      168       142
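The measurement method sketched in the abstract and introduction, signature matching over observed traffic followed by per-host and per-organization statistics, can be illustrated with a short script. The following is an added example and not code from the paper or its authors: it runs placeholder signatures (the paper's real signatures are derived in Section 3 and are not reproduced here) over a constructed log of outbound HTTP requests, attributes each client address to a constructed organization by its /24 prefix, and computes the fraction of active hosts affected, the number of hosts running more than one program, and the fraction of organizations with at least one affected host. The program names, host names, addresses, organization map and log format are all assumptions.

```python
"""Added example (not from the paper): passive, signature-based detection of
spyware programs in an HTTP request log, followed by the three summary
statistics the paper reports for its trace. Every signature, log line and
prefix-to-organization mapping below is a constructed placeholder."""
from collections import defaultdict
import re

# Constructed placeholder signatures keyed by program name. Each pattern is
# tried against both the HTTP Host header and the User-Agent string.
SIGNATURES = {
    "ProgramA": re.compile(r"(^|\.)programa-updates\.example$"),  # Host-based
    "ProgramB": re.compile(r"^ProgramB-Agent/\d+\.\d+"),          # User-Agent-based
}

# Constructed mapping from /24 prefix to campus organization.
ORG_OF_PREFIX = {"10.1.0": "CSE", "10.2.0": "Library", "10.3.0": "Dorms"}

# Constructed sample of outbound requests: timestamp, client, Host, "User-Agent".
SAMPLE_LOG = """\
2003-08-26T10:00:01 10.1.0.5 www.example.org "Mozilla/4.0 (compatible; MSIE 6.0)"
2003-08-26T10:00:04 10.1.0.5 programa-updates.example "Mozilla/4.0 (compatible; MSIE 6.0)"
2003-08-26T10:01:10 10.1.0.9 www.example.org "Mozilla/4.0 (compatible; MSIE 6.0)"
2003-08-26T10:02:33 10.2.0.7 cdn.programa-updates.example "Mozilla/4.0 (compatible; MSIE 6.0)"
2003-08-26T10:02:35 10.2.0.7 ads.example "ProgramB-Agent/2.1"
2003-08-26T10:03:00 10.2.0.8 www.example.org "Mozilla/4.0 (compatible; MSIE 6.0)"
2003-08-26T10:04:12 10.3.0.2 www.example.org "Mozilla/4.0 (compatible; MSIE 6.0)"
malformed line that the parser must skip
2003-08-26T10:05:40 10.3.0.3 www.example.org "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def parse_line(line):
    """Return (client, host, user_agent), or None for a line that does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _timestamp, client, host, user_agent = m.groups()
    return client, host.lower(), user_agent


def match_signatures(host, user_agent):
    """Names of every program whose signature matches this request."""
    return {name for name, rx in SIGNATURES.items()
            if rx.search(host) or rx.search(user_agent)}


def scan(log_text):
    """Map every active client to the set of programs detected for it (possibly empty)."""
    detected = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are dropped, not counted as hosts
        client, host, user_agent = parsed
        detected[client] |= match_signatures(host, user_agent)
    return dict(detected)


def org_of(client):
    """Organization owning the client's /24, or 'unknown' for unmapped prefixes."""
    return ORG_OF_PREFIX.get(client.rsplit(".", 1)[0], "unknown")


def summarize(detected):
    """The three statistics the paper reports: affected-host fraction, multi-program hosts, affected organizations."""
    active = len(detected)
    infected = {c for c, progs in detected.items() if progs}
    multi = {c for c in infected if len(detected[c]) > 1}
    orgs = {org_of(c) for c in detected}
    infected_orgs = {org_of(c) for c in infected}
    return {
        "active_hosts": active,
        "infected_hosts": len(infected),
        "fraction_infected": len(infected) / active if active else 0.0,
        "multi_program_hosts": len(multi),
        "organizations": len(orgs),
        "infected_organizations": len(infected_orgs),
        "fraction_organizations_infected": len(infected_orgs) / len(orgs) if orgs else 0.0,
    }


if __name__ == "__main__":
    for key, value in summarize(scan(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed log, two of six active hosts match a signature, one of them matches two programs, and two of three organizations contain an affected host. On real trace data the signature table would hold the host-name and User-Agent patterns actually observed for each program, and the prefix map would come from the site's own address allocation; the summary code does not change.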
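The cookie and web-bug class described in Section 2.1 can be made concrete with a small simulation. This is an added example and not code from the paper: a cookie jar that hands each domain only the cookies that domain set, two constructed sites (news.example and shop.example) that each embed an invisible image from one constructed advertisement provider (ads.example), and the provider's resulting view, which links every page a browser loads on either site to a single tracking identifier even though neither site can read the other's cookie.

```python
"""Added example (not from the paper): a toy model of cross-site tracking
through a shared advertisement provider's web bug. Domains and paths are
constructed; the cookie rule modelled is only the one the paper states,
namely that a cookie is returned solely to the domain that stored it."""
import itertools


class CookieJar:
    """Browser-side cookie store; each domain sees only its own cookies."""

    def __init__(self):
        self._cookies = {}  # domain -> {name: value}

    def cookies_for(self, domain):
        return dict(self._cookies.get(domain, {}))

    def store(self, domain, name, value):
        self._cookies.setdefault(domain, {})[name] = value


class AdProvider:
    """Third party whose 1x1 image is embedded on every page of contracted sites."""

    def __init__(self, domain):
        self.domain = domain
        self._ids = itertools.count(1)
        self.profiles = {}  # tracking id -> list of page URLs seen as referrer

    def serve_bug(self, jar, referrer):
        """Handle one web-bug request: assign a tracking id on first contact, log the referrer."""
        uid = jar.cookies_for(self.domain).get("uid")
        if uid is None:
            uid = f"u{next(self._ids)}"
            jar.store(self.domain, "uid", uid)  # persists in the browser for later sites
        self.profiles.setdefault(uid, []).append(referrer)
        return uid


class Site:
    """A first-party site with its own session cookie and the provider's embedded bug."""

    def __init__(self, domain, ad_provider):
        self.domain = domain
        self.ad_provider = ad_provider

    def visit(self, jar, path):
        """Simulate a page load: first-party cookie, then the embedded web-bug request."""
        if "session" not in jar.cookies_for(self.domain):
            jar.store(self.domain, "session", f"{self.domain}-sess")
        page = f"http://{self.domain}{path}"
        # The browser fetches the invisible image from the provider and, as with
        # any embedded resource, sends the provider's cookies and the page URL.
        self.ad_provider.serve_bug(jar, page)
        return page


def simulate():
    """Two browsers visit two unrelated sites that share one ad provider."""
    ads = AdProvider("ads.example")
    news = Site("news.example", ads)
    shop = Site("shop.example", ads)
    alice = CookieJar()
    news.visit(alice, "/politics")
    shop.visit(alice, "/cart")
    news.visit(alice, "/sports")
    bob = CookieJar()
    shop.visit(bob, "/")
    return ads, alice, bob


if __name__ == "__main__":
    ads, alice, _bob = simulate()
    print("news.example sees:", alice.cookies_for("news.example"))
    print("ads.example sees:", alice.cookies_for("ads.example"))
    for uid, pages in ads.profiles.items():
        print(uid, "->", pages)
```

The first-party rule holds in the model: news.example never receives shop.example's session cookie. The provider nonetheless ends up with one profile per browser spanning both sites, which is exactly the cross-site correlation the text attributes to shared advertisement providers, and the reason blocking third-party cookies or web-bug requests is the usual mitigation.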